Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

11/14/2018
02:30 PM
Ryan Orsi
Ryan Orsi
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Understanding Evil Twin AP Attacks and How to Prevent Them

The attack surface remains largely unprotected from Wi-Fi threats that can result in stolen credentials and sensitive information as well as backdoor/malware payload drops.

It's been nearly 20 years since IEEE 802.11b was released and the world got the first Wi-Fi-branded products. And yet the Layer 2 attack surface remains largely unprotected from dangerous Wi-Fi threats that can result in stolen credentials and sensitive information as well as backdoor/malware payload drops. Attackers have been exploiting a fundamental issue with Wi-Fi: Laptops, smartphones, and connected devices aren't equipped to distinguish between two radios broadcasting the same SSID name. This allows hackers to use malicious access points (APs) that eavesdrop on traffic, establish "man-in-the-middle" (MitM) positions, and extract sensitive information, often without leaving any traces behind.  

One of the most dangerous Wi-Fi threat categories is undoubtedly "evil twin" APs, an attack technique nearly two decades old. In fact, the US Department of Justice recently charged hackers within the Russian military agency GRU with implementing evil twin AP attacks to steal credentials and "plant espionage-oriented malware" targeting organizations such as anti-doping agencies, nuclear power operations, and chemical testing laboratories.

How did these GRU attacks work? The threat actor used 802.11 radios to broadcast the same SSIDs as offices and hotels in order to trick victims' devices into associating, thereby establishing their MitM position and supplying Internet service through 4G LTE connections to evade network security. Let's take a closer look at evil twin attacks to better understand defense best practices and techniques.

Analyzing Evil Twin AP Attacks
In a normal Wi-Fi connection, a person's client device (image below) associates with a legitimate AP. 



When an evil twin AP is present, a threat actor broadcasts the same SSID as the legitimate AP (and often the same BSSID or MAC address of the SSID) to fool the device into connecting (image below).

In the case of the GRU evil twin attacks, hackers reportedly used a popular pen-testing tool — the Wi-Fi Pineapple from Hak5 — connected to high-gain antennas, battery packs, and a mobile 4G LTE WAN backhaul connection located in the trunks of their cars or carried within backpacks into buildings. The Wi-Fi Pineapple automates much of the labor required to set up an evil twin attack.

While within range of the target SSID, attackers begin by broadcasting the same SSID. This is straightforward and can even be done on smartphones with data plans that allow mobile Wi-Fi hotspot tethering. Attackers looking to avoid drawing suspicion toward antennas and battery packs typically opt for a popular tool called bettercap, which can run natively on Linux, Mac, Windows, and Android systems.

The bettercap command used to configure a fake SSID to be broadcasted natively from a laptop or other client is "wifi.ap.ssid."

 

Additionally, it's important to note that evil twin attackers need to use clients with a radio capable of "monitoring mode."

If the target SSID is a busy open hotspot, victim clients will connect to the evil twin AP within seconds. If the target is a private, PSK-encrypted SSID, then the attacker would need knowledge of the PSK (a service offered online that requires packet capture files of the WPA/WPA2 handshake sequence).

Most Wi-Fi clients and their human operators choose to "auto join" previously saved Wi-Fi networks. If the attacker can't successfully trick the victim into connecting to the evil twin, he can simply break the connection between the victim and any legitimate AP he or she is using by flooding a client and/or associated AP with spoofed de-authentication frames in what's called a de-authentication attack. This means that the target device and AP are informed that their connection has been dropped.

Once a client is connected to the evil twin AP, the attack is over. This entire process is used to allow attackers to establish MitM positions from which they can siphon packets and inject malware or backdoors onto victim devices for remote access. Once in a MitM position, the attacker has complete control over the Wi-Fi session. These cybercriminals can leverage well-known tools to duplicate popular login forms for social sites or email hosting platforms, intercept the credentials in plain text, forward them to the real websites, and log in the user. As the target, you might believe you've simply logged in to your email account as always — but in reality, you have handed your credentials over to an attacker.

Preventing Evil Twin AP Attacks
Businesses offering Wi-Fi to their employees and customers can use wireless intrusion prevention systems (WIPS) to detect the presence of an evil twin AP and prevent any managed corporate clients from connecting to them. (Full disclosure: WatchGuard is one of a number of companies that provide such services.) 

For Wi-Fi users, an evil twin AP is nearly impossible to detect because the SSID appears legitimate and the attackers typically provide Internet service. In most cases, the best way to stay safe on unfamiliar Wi-Fi networks is to always use a VPN to encapsulate the Wi-Fi session in another layer of security.

Unfortunately, much of the innovation in the Wi-Fi space has been limited to elements like radio range, throughput, and connectivity rather than security. Without a greater industrywide emphasis on Wi-Fi security, or set criteria for evaluating Wi-Fi security in general, many networking and security professionals lack the clarity they need to successfully prevent Wi-Fi threats. Education is key, as is a broader conversation about the level of security and protection we expect and demand from Wi-Fi solutions today.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Ryan Orsi is Director of Product Management at WatchGuard Technologies, a global leader in network security providing products and services to more than 80,000 customers worldwide. Ryan leads the Secure Wi-Fi solutions for WatchGuard. He has experience bringing disruptive ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
ddvzlnz
100%
0%
ddvzlnz,
User Rank: Apprentice
11/15/2018 | 9:37:04 AM
Tunnel Through the Evil Twins
Nice article on a subject it seems like people don't think about anymore.

 

I always use a TinyHardwareFirewall when I'm on open networks.  My laptop talks to the THF and it talks to the Acesss Point. The first thing I do is start the VPN and then go about my business.  I expect all of my zeros and ones to be viewable on an open network so I make sure they are all ecrypted.

Also, don't let your devices automaticly connect to any SSID it recognizes.  That is like having your house automaticly open the door whenever someone rings the doorbell.

 

 
ryanorsi
50%
50%
ryanorsi,
User Rank: Author
11/15/2018 | 9:04:54 PM
Re: Tunnel Through the Evil Twins
Great advice here, particularly the one about not letting your devices auto-connect to previously joined SSIDs.  Take note everyone, clear your saved Wi-Fi network SSID names from your client devices.  I know it can be a pain, but if you want to see the consequences, just do a quick web search for 'Ryan Orsi Pineapple' and you'll get the picture.  Pineapples are great pen-testing tools by the way, helping push the industry in the right direction towards a safer Wi-Fi experience for users.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...